Friday, November 7, 2025
Global Current News

U.S. indicts cyber experts linked to BlackCat/ALPHV ransomware operations

by Kyle L.
November 7, 2025
in Cybersecurity

Three U.S. employees working in the cybersecurity field are facing jail time for allegedly carrying out ransomware attacks in collaboration with the well-known ALPHV, or BlackCat, ransomware gang. Instances of ‘defenders’ turning into ‘attackers’ are very concerning for companies. The indictment names Goldberg and Martin and describes a conspiracy that also included an unnamed co-conspirator.

How did they get away with it?

All of the named individuals are United States nationals. Between May and November of 2023, all 4 of the accused allegedly conspired to gain unauthorized access to victims' networks and deploy the BlackCat/ALPHV ransomware while extorting the victims for cryptocurrency. The attacks allegedly targeted 5 companies in the United States.

Some of the companies that were attacked include a medical device company in Tampa, a pharmaceuticals company in Maryland, and a doctor’s office in California.

Goldberg was attacking while holding the title of incident-response manager at the cybersecurity company Sygnia.

Reports claim that the extortion demands were between $300,000 and $10 million. One of the victims was said to have paid $1.27 million in cryptocurrency after a demand of $10 million.

The hacker news: A ransomware conspiracy

On the other side of the conspiracy, Goldberg and Martin were said to work closely with the unnamed co-conspirator to facilitate the transactions of the ransom. Martin was a ransomware threat negotiator at DigitalMart.

The indictment showcases the growth of Ransomware-as-a-Service (RaaS) affiliate networks. BlackCat/ALPHV operates on the RaaS affiliate model, with allied insiders who facilitate attacks and provide services to down-the-line hackers.

Goldberg and Martin face multiple charges that include:

  • Conspiracy to interfere with commerce by extortion
  • Extortion affecting interstate commerce
  • Intentional damage to a protected computer

All of these systems were interconnected. If the court convicts them on these charges, they might face a possible 50 years in a federal penitentiary.

External hackers are a threat, but what about the people targeting the system from the inside?

The cyber professionals alleged to have had insider access to confidential corporate cybersecurity systems are incident-response professionals, ransomware-negotiation professionals, and corporate ransomware extortion specialists.

As this scenario shows, businesses face significant danger from suppliers. This includes external providers of incident response, threat negotiation, and forensic services. This example raises novel and important questions for supplier, vendor, and partner oversight and risk management strategies.

If a supplier is compromised and commits a rogue act, the affected businesses could incur reputational damage, regulatory challenges, and liability. Legally, the affected businesses face reputational risk, and their vendor risk management frameworks should cover liability, trust, and background checks.

What organizations can do to mitigate the situation

  • Build rigorous controls and oversight systems for vendors: Defining vendor controls streamlines the burden of supervision
  • Apply internal controls to external agents: Treat external contractors and consultants who are given privileged access like internal staff regarding surveillance, access control, and audits
  • Contain the “what if” scenario: Conduct incident-response drills that assume a trusted service provider has been compromised, so that the organization can swiftly pivot, isolate the provider, and switch away from it
  • Contractual safeguards: Update contract clauses covering misuse of access, auditing rights, rapid termination, escrow of decryption keys, and notification obligations
  • Governance communication: Update the senior leadership and the board of directors on this newly evolving threat vector – it can no longer be only external hackers; trusted insiders or cooperators can go rogue

This indictment brings attention to a difficult situation in the ransomware-threat landscape.

The very people who were trained to defend networks are now accused of using their skills against the organizations they were meant to protect. This case raises concerns in the area of trust, vendor risk, and the assumption that access, credentials, and reputation are determinants for trust and safe behavior.


© 2025 by Global Current News
